Earp WISE 2010 Talk 1

The Significance and Evolution
of End User Privacy
Julie Earp
College of Management
North Carolina State University
WISE 2010
Sponsored by TRUST
June 21-24, 2010: Vanderbilt University
How do you feel about
information privacy?
How do others feel
about it?
In the news…
Facebook in the news…
The People Factor
• People are the weakest link!!!
– Phishing schemes
– Opening email attachments
– Easy to guess passwords
– The desire to trust
– Unknowledgeable
• User study presented at the IEEE Symp. on
Security and Privacy, 2007
– 100% ignored the absence of HTTPS
– 97% ignored the absence of site authentication image
– 53% ignored invalid certificate message from browser
What’s going on?
Thanks to Jeff Crume, IBM,
for this image and idea.
Websites and How They
Influence Behavior
• What kind of organization is it?
• How reputable is the organization?
• How old is the consumer?
• Is the consumer male or female?
Innovative Web Use to Learn about Consumer Behavior and Online Privacy,
Julia B. Earp and David Baumer, Communications of the ACM, 2003.
Privacy Taxonomy
• Privacy Protection Goals
– Access/Participation
– Choice/Consent
– Enforcement/Redress
– Integrity/Security
– Notice/Awareness
• Privacy Vulnerabilities
– Information Aggregation
– Information Collection
– Information Monitoring
– Personalization
– Solicitation
– Information Storage
– Information Transfer
A Requirements Taxonomy to Reduce Website Privacy
Vulnerabilities,
Annie I. Antón and Julie B. Earp.
Requirements Engineering Journal, 2004.
Privacy Values 2002
[IEEE Trans. On Engineering Management, 2005]
• Data was collected from 1005 Internet users in 2002 to
establish a privacy values baseline for correlation with
our privacy protection goals and privacy vulnerabilities
taxonomy.
• Consumers were most concerned with (in order):
– information transfer
– notice/awareness
– information storage
What influential events
have occurred since
2002?
What has happened since
2002?
• E-commerce
– $ spent on e-commerce has more than tripled
• Social Networking
– LinkedIn now has more than 39 million members
– Facebook has more than 200 million active users
• Complaints of ID Theft
– More than doubled
• State legislation
– Data Breach Notification Laws
• HIPAA Compliance Deadlines
What have the data breach
notification laws done?
Privacy Values 2008
Follow-up survey of Internet users worldwide
2,094 usable responses
Privacy Values 2008
• Respondents use the Internet more often now
(p < 0.0001)
• Respondents purchase more frequently online
now
(p < 0.0001)
Have user concerns changed?
• The top three information privacy concerns
continue to be
– information transfer,
– notice/awareness,
– information storage.
• The difference lies with the individuals’ level of
concern
Concern #1:
Information Transfer
• Respondents are more concerned about
– Disclosing purchasing patterns to 3rd parties
(p value = .0087)
– Trading or selling PII to 3rd parties
(p value = .0013)
• What has caused these changes?
– Reports about increase in fraud and identity theft
complaints being filed
– News stories pertaining to data brokers and data
breaches
Concern #2:
Notice / Awareness
• Respondents now want to know:
– About security safeguards used to protect their PII
(p value = .0029)
• Respondents are less concerned about
– Having the option to decide how their PII is used
(p < .0001)
– Changes in privacy practices
(p < .0001)
– Disclosures concerning PII use
(p = .0144)
– Previously undisclosed changes in the way PII is used
(p = .0002)
Concerns #3 and 4
• Information Storage
– No significant changes since 2002
• Access/Participation
– No significant changes since 2002
Concern #5:
Information Collection
• Respondents are more concerned about
– Recording of previously visited web site
(p value = .0002)
Concern #6:
Personalization
• Respondents are more concerned about PII
used:
– to customize their browsing experience
(p < .0001)
– to monitor their purchasing patterns
(p < .0001)
– for marketing and research
(p = .0308)
• Respondents are less concerned about:
– websites using cookies (p = .0391)
U.S. vs International Concerns
in 2008
• U.S. respondents’ top concerns in 2008
– #1 information transfer
– #2 notice/awareness
– #3 information storage
• Non-U.S. respondents’ top concerns in 2008
– #1 information transfer
– #2 information storage
– #3 notice/awareness.
U.S. vs International Concerns
in 2008
• Specifically, individuals in the U.S. are more
concerned about
– (a) the disclosure of their purchasing patterns and
information to third parties
– (b) their personally identifiable information being
traded with or sold to third parties
U.S. Respondents are
Significantly More Concerned…
• Ages 22-28
– about websites disclosing individuals’ purchasing
patterns to third parties
– about wanting to know how their PII will be used
• Ages 29-35
– about general consumer information being shared
with third parties
• Ages 22-35
– about PII being traded with or sold to third parties
Non-U.S. Respondents are
Significantly More Concerned…
• Ages 22-28
– about unauthorized employees and/or unauthorized
hackers gaining access to their information.
– about a website he/she visits collecting information
about browser configurations or IP address, without
an individual’s consent.
• Ages 29-35
– about wanting a website to allow individuals to check
their PII for accuracy.
• Ages 36-42
– about a website he/she visits collecting information
about browsing
Key Takeaways
• People have different views, concerns and
strategies with regard to information privacy
• We must incorporate these concerns into our
systems
• There are many user studies that will allow you
to learn about the users
• Conduct your own user studies if necessary